Description
Cap's GET /api/video/ai endpoint fails to validate user ownership or membership before returning private video AI metadata including titles, summaries, and chapters. Authenticated attackers can supply arbitrary video IDs to read sensitive AI-generated content and trigger unauthorized AI generation that consumes the video owner's credits without consent.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Tue, 07 Jul 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Cap's GET /api/video/ai endpoint fails to validate user ownership or membership before returning private video AI metadata including titles, summaries, and chapters. Authenticated attackers can supply arbitrary video IDs to read sensitive AI-generated content and trigger unauthorized AI generation that consumes the video owner's credits without consent. | |
| Title | Cap - Missing Access Control in Video AI Metadata Endpoint | |
| First Time appeared |
Capnproto
Capnproto capnproto |
|
| Weaknesses | CWE-862 | |
| CPEs | cpe:2.3:a:capnproto:capnproto:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Capnproto
Capnproto capnproto |
|
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-07T22:20:25.363Z
Reserved: 2026-07-06T15:31:46.187Z
Link: CVE-2026-59704
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
-
CWE-862
Missing Authorization